Summary
Admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE.
Details
The admin user can create a device with a malicious hostname as seen in the screenshot below.
The Log level can be any one of the following options, DEVEL,DEBUG,HIGH,MEDIUM,LOW and the log destionation should contain Logfile (Logfile only or Logfile and Syslog/Eventlog ) as seen in the screenshot below.
Furthermore, the admin can repeat the step 5 of the installation process by going to the following URL as seen in the screenshot below. During step 5 of the installation process, Cacti Log Path can be changed to the following php file as seen in the screenshot below.
URL: http://cacti_ip/cacti/install/install.php?data={"Step":"5","Eula":true}
File: /var/www/html/cacti/scripts/ss_host_cpu.php
NOTE: There is one other place in the application that lets the admin users change the Cacti Log Path, however it does not allow files with the .php extension to be used as Cacti Log path. The field in the installation process, however, does not complain about the files with the .php extension.
Warning: Do not forget to backup the php file as it will be overwritten.
www-data OS user that is running the web application has read/write/execute privileges on the aforementioned file along with the files below (any one of these files can be used as the log file to be poisoned).
/var/www/html/cacti/scripts/ss_webseer.php
/var/www/html/cacti/scripts/ss_host_cpu.php
/var/www/html/cacti/scripts/ss_gexport.php
/var/www/html/cacti/scripts/ss_hstats.php
/var/www/html/cacti/scripts/ss_host_disk.php
/var/www/html/cacti/scripts/ss_cpoller.php
Note that a new file name can also be entered as the Cacti log path and it will be created by the application as seen in the screenshots below.
After completing the step 5 of the installation process (completing only step 5 is enough, no need to complete the steps before or after it), Logs tab in the web UI shows the new file name as the log file path as seen in the screenshot below.
Moreoever, purging the logs as seen in the screenshot below to get rid of installation related logs is necessary since they, for some reason, break the RCE process.
After purging the logs, the admin user can go to the devices tab (under Management tab) and clicks on the malicious device name (device desription) to have the device's hostname end up in the logs as seen in the screenshots below.
Finally, simply going to the following URL executes id command (or any other command).
URL: http://cacti_ip/cacti/scripts/ss_host_cpu.php?cmd2=id
PoC
Warning: Do not forget to backup the php file as it will be overwritten.
- Create a device with malicious hostname as described the in the details section.
- Change the log destination and log level if needed as described the in the details section.
- Repeat the installation procedure to use the php file path as the Cacti log path as described the in the details section.
- Purge the logs as described the in the details section.
- Poison the logs by visiting the malicious device details as described the in the details section.
- Finally, visit the log file URL and add cmd2= as the query string as described the in the details section.
Impact
Remote Code Execution.
TayfunYelim Reporter
Summary
Admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE.
Details
The admin user can create a device with a malicious hostname as seen in the screenshot below.
The Log level can be any one of the following options, DEVEL,DEBUG,HIGH,MEDIUM,LOW and the log destionation should contain Logfile (Logfile only or Logfile and Syslog/Eventlog ) as seen in the screenshot below.
Furthermore, the admin can repeat the step 5 of the installation process by going to the following URL as seen in the screenshot below. During step 5 of the installation process,
Cacti Log Pathcan be changed to the following php file as seen in the screenshot below.URL: http://cacti_ip/cacti/install/install.php?data={"Step":"5","Eula":true}
File: /var/www/html/cacti/scripts/ss_host_cpu.php
NOTE: There is one other place in the application that lets the admin users change the Cacti Log Path, however it does not allow files with the .php extension to be used as Cacti Log path. The field in the installation process, however, does not complain about the files with the .php extension.
Warning: Do not forget to backup the php file as it will be overwritten.
www-data OS user that is running the web application has read/write/execute privileges on the aforementioned file along with the files below (any one of these files can be used as the log file to be poisoned).
Note that a new file name can also be entered as the Cacti log path and it will be created by the application as seen in the screenshots below.
After completing the step 5 of the installation process (completing only step 5 is enough, no need to complete the steps before or after it), Logs tab in the web UI shows the new file name as the log file path as seen in the screenshot below.
Moreoever, purging the logs as seen in the screenshot below to get rid of installation related logs is necessary since they, for some reason, break the RCE process.
After purging the logs, the admin user can go to the devices tab (under Management tab) and clicks on the malicious device name (device desription) to have the device's hostname end up in the logs as seen in the screenshots below.
Finally, simply going to the following URL executes
idcommand (or any other command).URL: http://cacti_ip/cacti/scripts/ss_host_cpu.php?cmd2=id
PoC
Warning: Do not forget to backup the php file as it will be overwritten.
Impact
Remote Code Execution.